dnl
dnl Check the SPF records of the sender's domain
dnl
dnl The actions to take when the sending relay does not match the SPF record
dnl of the sender's domain are described in the file CONFDIR/access-spf as:
dnl
dnl   sender.domain.tld|action : result1 : result2 : ... | message
dnl
dnl where sender.domain.tld - the sender's domain, wildcards are allowed
dnl       action            - the action (deny, defer or warn)
dnl       result1, result2  - the result of checking the sending relay against
dnl                           the SPF record of the sender's domain
dnl                           (pass, fail, softfail, none, neutral,
dnl                           err_perm, err_temp; see exiscan-acl-spec.txt,
dnl                           8. Sender Policy Framework (SPF) support)
dnl       message           - the message returned to the client (optional)
dnl
dnl example:
dnl   *.aol.com|deny : fail | AOL sender, but not from AOL-approved relay
dnl   *.aol.com|warn : neutral | AOL sender, but not from AOL-approved relay
dnl   aol.com|deny : fail : neutral | AOL sender, but not from AOL-approved relay
dnl   *|deny : fail
dnl   *|defer : softfail : err_temp
dnl   *|warn : neutral
dnl
dnl Exceptions from the SPF check are listed in the file CONFDIR/access-spf as:
dnl   sender_address|skip : list of networks
dnl
dnl example:
dnl   *@hotmail.com|skip : 194.183.162.130
dnl
dnl The addresses of the backup MXes must be entered as exceptions:
dnl   *|skip : backup_MX_1 : backup_MX_2
dnl

dnl Exception: the sender address has a "skip" entry and the connecting host
dnl is in its list, so acl_m1 is set to "skip" and the SPF stanzas below do not fire.
warn
  set acl_m1 = ${lookup{$sender_address|skip}wildlsearch{CONFDIR/access-spf}{$value}{}}
  condition = ${if eq{$acl_m1}{}{no}{yes}}
  hosts = $acl_m1
  set acl_m1 = skip

dnl A "pass" entry whose result list matches the SPF result also sets
dnl acl_m1 to "skip", which ends the SPF checks for this message.
warn
  condition = ${if eq{$acl_m1}{skip}{no}{yes}}
  set acl_m0 = ${lookup{$sender_address_domain|pass}wildlsearch{CONFDIR/access-spf}{$value}{}}
  condition = ${if eq{$acl_m0}{}{no}{yes}}
  spf = ${extract{1}{|}{$acl_m0}}
  set acl_m1 = skip

dnl In the stanzas below, field 1 of the looked-up value (split on "|") is the
dnl list of SPF results and field 2 is the optional message for the client.
deny
  condition = ${if eq{$acl_m1}{skip}{no}{yes}}
  set acl_m0 = ${lookup{$sender_address_domain|deny}wildlsearch{CONFDIR/access-spf}{$value}{}}
  condition = ${if eq{$acl_m0}{}{no}{yes}}
  spf = ${extract{1}{|}{$acl_m0}}
  message = ${if eq{${extract{2}{|}{$acl_m0}}}{}{\
            $sender_host_address is not allowed to send mail from $sender_address_domain\
            }{${extract{2}{|}{$acl_m0}}}}
  log_message = $sender_host_address is not allowed to send mail from $sender_address_domain \
                (${extract{1}{|}{$acl_m0}})

defer
  condition = ${if eq{$acl_m1}{skip}{no}{yes}}
  set acl_m0 = ${lookup{$sender_address_domain|defer}wildlsearch{CONFDIR/access-spf}{$value}{}}
  condition = ${if eq{$acl_m0}{}{no}{yes}}
  spf = ${extract{1}{|}{$acl_m0}}
  message = ${if eq{${extract{2}{|}{$acl_m0}}}{}{\
            $sender_host_address is not allowed to send mail from $sender_address_domain\
            }{${extract{2}{|}{$acl_m0}}}}
  log_message = $sender_host_address is not allowed to send mail from $sender_address_domain \
                (${extract{1}{|}{$acl_m0}})

dnl warn only adds an X-Warn-SPF header; the message is not rejected here.
warn
  condition = ${if eq{$acl_m1}{skip}{no}{yes}}
  set acl_m0 = ${lookup{$sender_address_domain|warn}wildlsearch{CONFDIR/access-spf}{$value}{}}
  condition = ${if eq{$acl_m0}{}{no}{yes}}
  spf = ${extract{1}{|}{$acl_m0}}
  message = X-Warn-SPF: ${if eq{${extract{2}{|}{$acl_m0}}}{}{\
            $sender_host_address is not allowed to send mail from $sender_address_domain\
            }{${extract{2}{|}{$acl_m0}}}}
  log_message = $sender_host_address is not allowed to send mail from $sender_address_domain \
                (${extract{1}{|}{$acl_m0}})
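
dnl Added example, not part of the original configuration: a simplified Python
dnl model of how the stanzas above consult access-spf, showing that each
dnl "domain|action" lookup stops at the first matching line. The names parse,
dnl lookup and decide are hypothetical; "skip" entries, regex keys, quoting and
dnl the SPF evaluation itself are not modelled (the SPF result is an input).

```python
# Added illustration (not the original author's code): simplified model of
# how the ACL reads access-spf. Assumes literal keys and leading-'*' keys only.
# SAMPLE is constructed from the example lines in the comment header.
SAMPLE = """\
*.aol.com|deny : fail | AOL sender, but not from AOL-approved relay
*.aol.com|warn : neutral | AOL sender, but not from AOL-approved relay
aol.com|deny : fail : neutral | AOL sender, but not from AOL-approved relay
*|deny : fail
*|defer : softfail : err_temp
*|warn : neutral
"""

def parse(text):
    """Split each line into (key, data); the key ends at the first space, tab or colon."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        end = min((i for i, c in enumerate(line) if c in " \t:"), default=len(line))
        rest = line[end:].lstrip()
        if rest.startswith(":"):
            rest = rest[1:]
        rules.append((line[:end].lower(), rest.strip()))
    return rules

def lookup(rules, key):
    """First matching line wins; a leading '*' in a file key means 'ends with'."""
    key = key.lower()
    for pattern, data in rules:
        if pattern.startswith("*"):
            if key.endswith(pattern[1:]):
                return data
        elif key == pattern:
            return data
    return ""

def decide(rules, domain, spf_result):
    """Walk the stanzas in ACL order and return (action, custom message)."""
    for action in ("pass", "deny", "defer", "warn"):
        value = lookup(rules, f"{domain}|{action}")
        results, _, message = value.partition("|")
        if spf_result in [r.strip() for r in results.split(":")]:
            return action, message.strip()
    return "none", ""  # no stanza fired; the rest of the ACL decides
```

With the sample file, a neutral result for mail.aol.com only produces a warning: its deny lookup stops at the `*.aol.com|deny` line, which lists only fail, and the later `*|deny` line is never consulted for that domain.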